-
SSO failed after upgrading OpenSearch or Wazuh 4.9.0: failed parsing SAML config or 500 internal error
In the latest versions (Wazuh 4.9.0 & OpenSearch 2.10*), SSO has updated the exchange_key format requirements (see: exchange key settings), now mandating it to be 64 characters long. This guide outlines three methods to generate the exchange key. If one method doesn’t resolve the issue, proceed to the next. Apply the change to the /etc/wazuh-indexer/opensearch-security/config.yml…
-
Enrich Opensearch/Wazuh Alerting module notification using Painless Scripts (Mustache templates)
Use Case: Enrich Slack notifications with Wazuh FIM & Vulnerability alert details. Painless scripts (Mustache templates): Opensearch/Wazuh Monitor Queries: Alerting Module Configuration: The monitor must be configured using the Extraction query editor. Then add & test the query: Define a simple trigger that fires whenever the query returns a value higher than 0: Add your painless script, then send a…
-
Test Logstash Pipelines/Filters Before Implementation
Use case: Detect whether the parsed logs contain a single warning message or multiple warning messages, then add a field stating which case applies. Logstash configuration & testing: Suppose that we have the following log files representing both cases described above: Reading the logs we can see that the field [waf][warnMsg] separates the warning messages using a semi-colon ; in the case of…
-
Elevate Security with Anomaly Detection in Wazuh
The current Wazuh stack (Version 4.7.*) does not ship the Anomaly Detection plugin out-of-the-box; this article describes how to install and configure it in both a Docker and a standard installation. The Anomaly detector uses the Random Cut Forest (RCF) algorithm for automatic, near-real-time anomaly detection. This unsupervised machine learning algorithm calculates anomaly grades and confidence scores to distinguish…
-
Wazuh Endpoints Inventory Packages in one Dashboard
Currently, the agents’ packages are pulled using direct API calls and displayed on a dashboard in the Wazuh app. This blog describes how to index the packages into the Wazuh indices and display them in a custom dashboard. Note that the script used to pull the packages leverages the Wazuh framework (https://github.com/wazuh/wazuh/tree/master/framework/wazuh), which simplifies the task.…
-
Wazuh & eBPF: Monitor TCP connections effectively
Network monitoring can be a powerful method for gaining insights into your server environment, but it is often a complex and resource-intensive task. The Extended Berkeley Packet Filter (eBPF) technology solves these challenges by providing pre-configured resources, including the bcc-tools package with its pre-built eBPF programs. In this blog post, I will showcase the eBPF…
-
Get notified when Elasticsearch/Wazuh Indexer/ OpenSearch stops indexing data
Prerequisites: Use case: Monitor Wazuh indexer/Elasticsearch/Opensearch indexing and get a Discord notification if no events have been indexed in the last 5 minutes. Monitoring Script: Wazuh Manager Configuration: Place the script on the Wazuh manager under the path /var/ossec/integrations, assigning the following permissions and ownership: Add the configuration to run the script and the rules to trigger the alerts…
-
Discord & Wazuh Integration
Discord is a popular communication platform where people chat, share info, and connect. Integrating Wazuh alerts into Discord is key for quick and effective security updates. It can be deemed as a security guard in your digital hangout, making sure everyone stays informed and acts fast if there’s a potential threat. In this guide, we’ll…
-
Wazuh in K8S (Kubernetes): Enable archives index & get all events
Capturing all incoming logs and visualizing them can be a requirement, and enabling that option in an on-prem environment can be achieved as described in the official guide here https://documentation.wazuh.com/4.4/user-manual/manager/wazuh-archives.html; however, in K8s, restarting the Filebeat service restarts the Wazuh manager pod, which wipes out the changes and reverts to the initial configuration (archives disabled). This article describes…
-
HTTP Strict Transport Security (HSTS) for Wazuh & Kibana
HTTP Strict Transport Security (HSTS) is a vital security measure in today’s digital landscape, where data security and privacy are paramount. With the increasing sophistication of cyber threats, safeguarding sensitive information transmitted over the internet has become critical for individuals and organizations. HSTS plays a crucial role in this regard by enforcing secure connections. It instructs browsers to only…